CIS IIS Benchmark version 1.0
36 pages
English


Excerpt



Center for Internet Security Benchmark
for IIS 5.0 and 6.0 for Microsoft Windows
2000, XP, and Server 2003
Version 1.0
August 15, 2007
Copyright 2001-2007, The Center for Internet Security (CIS)
Editor: Shyama Rose
Leviathan Security Group

http://cisecurity.org
cis-feedback@cisecurity.org


Table of Contents

TERMS OF USE AGREEMENT .... 4
Introduction .... 7
Applicability .... 7
1 - Legacy IIS settings .... 8
1.1 Default Install Files .... 8
1.2 Remote Data Services (RDS) .... 8
1.3 Internet Printing .... 9
1.4 URLScan .... 10
1.5 IIS Lockdown .... 10
2 - IIS Configuration (Services) .... 11
2.1 FTP User Isolation .... 11
2.2 SMTP .... 12
2.3 SSL .... 13
2.4 Worker Process Identities .... 14
2.5 WebDAV Authentication .... 14
3 - IIS Configuration (MetaBase) .... 16
3.1 Anonymous User (anonymousUserName) .... 16
3.2 Client-side Application Debugging (AppAllowClientDebug) .... 17
3.3 Server-Side Application Debugging (AppAllowDebugging) .... 17
3.4 ASP Parent Paths (AspEnableParentPaths) .... 18
3.5 Logging to Windows Event Log (AspLogErrorRequests) .... 19
3.6 ASP Error Messages Setting (AspScriptErrorSentToBrowser) .... 19
3.7 Custom ASP Error Message (AspScriptErrorMessage) .... 20
3.8 ASP Session Object Timeout (AspSessionTimeout) .... 20
3.9 Authentication Flags (AuthFlags) .... 21
3.10 HTTP Connection Timeout (ConnectionTimeout and ServerListenTimeout) .... 22
3.11 Directory Browsing (DirBrowseFlags) .... 22
3.12 FrontPage Extensions Disable (FrontPageWeb) .... 23
3.13 Custom HTTP Error Messages (HTTPErrors) .... 23
3.14 In Process ISAPI DLL (InProcessIsapiApps) .... 24
3.15 Logging Options (LogExtFileFlags) .... 24
3.16 Local Path (Path) .... 25
3.17 Script Mappings (ScriptMaps) .... 25
3.18 Use Hostname in Redirects (UseHostName) .... 26
3.19 Application Pool Identity (WAMUserName) .... 27
3.20 Web Service Extension Restriction List (WebSvcExtRestrictionList) .... 27
4 - IIS Configuration (ASP .NET) .... 29
4.1 SessionState .... 29
4.2 Authorization .... 29
4.3 Forms .... 30
4.4 Authentication .... 30
4.5 Compilation .... 31
4.6 Custom Errors .... 31
4.7 HTTPForbiddenHandler .... 32
4.8 HttpRunTime .... 32
4.9 Identity .... 32
4.10 MachineKey .... 33
4.11 Pages .... 33
4.12 ProcessModel .... 34
4.13 Trace .... 34
4.14 Trust .... 34
Revision History .... 36

TERMS OF USE AGREEMENT
Background.
The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software,
data, information, suggestions, ideas, and other services and materials from the CIS
website or elsewhere ("Products") as a public service to Internet users worldwide.
Recommendations contained in the Products ("Recommendations") result from a
consensus-building process that involves many security experts and are generally generic
in nature. The Recommendations are intended to provide helpful information to
organizations attempting to evaluate or improve the security of their networks, systems,
and devices. Proper use of the Recommendations requires careful analysis and adaptation
to specific user requirements. The Recommendations are not in any way intended to be a
"quick fix" for anyone's information security needs.
No Representations, Warranties, or Covenants.
CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive
or negative effect of the Products or the Recommendations on the operation or the
security of any particular network, computer system, network device, software, hardware,
or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or
completeness of the Products or the Recommendations. CIS is providing the Products and
the Recommendations "as is" and "as available" without representations, warranties, or
covenants of any kind.
User Agreements.
By using the Products and/or the Recommendations, I and/or my organization ("We")
agree and acknowledge that:
1. No network, system, device, hardware, software, or component can be made fully
secure;
2. We are using the Products and the Recommendations solely at our own risk;
3. We are not compensating CIS to assume any liabilities associated with our use of
the Products or the Recommendations, even risks that result from CIS's negligence
or failure to perform;
4. We have the sole responsibility to evaluate the risks and benefits of the Products
and Recommendations to us and to adapt the Products and the Recommendations to
our particular circumstances and requirements;
5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any
corrections, updates, upgrades, or bug fixes; or to notify us of the need for any such
corrections, updates, upgrades, or bug fixes; and
6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever
(whether based in contract, tort, strict liability or otherwise) for any direct, indirect,
incidental, consequential, or special damages (including without limitation loss of
profits, loss of sales, loss of or damage to reputation, loss of customers, loss of
software, data, information or emails, loss of privacy, loss of use of any computer or
other equipment, business interruption, wasted management or other staff
resources or claims of any kind against us from third parties) arising out of or in
any way connected with our use of or our inability to use any of the Products or
Recommendations (even if CIS has been advised of the possibility of such
damages), including without limitation any liability associated with infringement of
intellectual property, defects, bugs, errors,
